Cybersecurity experts have told Reuters that law enforcement officials from multiple countries were involved in the disruption of the REvil ransomware gang, which went dark for the second time on Sunday.
Rumors and questions about the group's most recent disappearance dominated conversation this week after Recorded Future security expert Dmitry Smilyanets shared on Twitter several messages that '0_neday', a known REvil operator, had posted on the cybercriminal forum XSS describing what happened. He claimed that someone had taken control of the group's Tor payment portal and data leak website.
In the messages, 0_neday explains that he and "Unknown", a leading representative of the group, were the only two members of the gang who held REvil's domain keys, that is, the keys for the Tor hidden services behind the group's sites (a .onion address is derived from the service's private key, so whoever holds that key can bring up a site at the same address). "Unknown" disappeared in July, leaving the other members of the group to assume he had died.
The group resumed operations in September, but this weekend, 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.”
In another message, 0_neday said, “The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good
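As an added illustration of the tampering 0_neday describes, and not code from the article, from REvil or from the Tor project: torrc is a plain-text configuration file, so a check that diffs its HiddenServiceDir entries against a known-good snapshot catches an entry being deleted and a different one inserted in its place, and deriving each service's .onion address from the public key in its directory catches a hostname file that no longer belongs to the key beside it. The torrc text, directory paths and key bytes below are constructed for the example; the address derivation follows Tor's published v3 onion address format.

```python
"""
Check for the torrc tampering described above: an operator's HiddenServiceDir
removed and an attacker-controlled one added, and a hostname file that does not
match the ed25519 key in its directory. Added example; torrc contents, paths and
key bytes are constructed, not taken from any real deployment.
"""
import base64
import hashlib
from typing import Dict, List

# Known-good torrc snapshot (constructed).
BASELINE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leak_site/
HiddenServicePort 80 127.0.0.1:8081
"""

# torrc as found afterwards (constructed): payment_portal is gone and a
# service the operator never configured has taken its place.
TAMPERED_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/portal_new/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leak_site/
HiddenServicePort 80 127.0.0.1:8081
"""


def parse_hidden_services(torrc: str) -> Dict[str, List[str]]:
    """Map each HiddenServiceDir (trailing slash dropped) to its HiddenServicePort lines."""
    services: Dict[str, List[str]] = {}
    current = None
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            current = value.strip().rstrip("/")
            services[current] = []
        elif key == "HiddenServicePort" and current is not None:
            services[current].append(" ".join(value.split()))
    return services


def diff_hidden_services(baseline: str, current: str) -> Dict[str, List[str]]:
    """Report HiddenServiceDir entries removed, added, or re-pointed since the baseline."""
    before = parse_hidden_services(baseline)
    after = parse_hidden_services(current)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "repointed": sorted(d for d in set(before) & set(after) if before[d] != after[d]),
    }


# 32-byte header Tor writes at the start of hs_ed25519_public_key.
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"


def pubkey_from_hs_file(blob: bytes) -> bytes:
    """Return the 32-byte ed25519 public key stored in an hs_ed25519_public_key file."""
    if len(blob) != 64 or not blob.startswith(HS_PUBKEY_HEADER):
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return blob[32:]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a service's ed25519 public key.

    Tor rend-spec-v3: base32(PUBKEY | CHECKSUM | VERSION) + ".onion", where
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2] and VERSION = 0x03.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def hostname_matches_key(hostname_file: str, pubkey_file: bytes) -> bool:
    """True if the hostname file in a HiddenServiceDir is the address of the key beside it."""
    return hostname_file.strip() == onion_v3_address(pubkey_from_hs_file(pubkey_file))


# Constructed key material for the demo: a fixed 32-byte stand-in for a public key.
DEMO_PUBKEY = bytes(range(32))
DEMO_PUBKEY_FILE = HS_PUBKEY_HEADER + DEMO_PUBKEY


if __name__ == "__main__":
    for kind, dirs in diff_hidden_services(BASELINE_TORRC, TAMPERED_TORRC).items():
        for d in dirs:
            print(f"{kind}: {d}")
    hostname = onion_v3_address(DEMO_PUBKEY)
    print("derived:", hostname, "matches key:", hostname_matches_key(hostname + "\n", DEMO_PUBKEY_FILE))
```

In practice the baseline snapshot and the per-directory key files would be read from disk and the check run on a schedule; here both are embedded so the example runs offline. Any entry reported as removed or added, or any hostname that does not match its key, is exactly the redirection 0_neday describes and should be treated as compromise of the host, not as a configuration drift to quietly fix.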